

Pedram Amini pedramamini

pedramamini / 20200730-emotet.txt
Created Jul 31, 2020
Emotet samples from 7/30/2020 with VT score (out of ~60) and InQuest score (out of 10).
00077dbdfe4e79c38048d2060cb90ea2bdd50cc346a45bae87ea6093ddb02321 vt=25 iq=9
0039413ea9580579720c262bf207d64bacac7b1c93056c8b5fa2f2347714b096 vt=27 iq=9
005307ad7426c4c1b014c27f51ba5c0ad2ca752195099a7378e3d622cdf7a2d6 vt=29 iq=9
007fc402dd61e8222bb4fd1214544b0a620f622aaa186b1bd5a2207613fdd558 vt=28 iq=9
00812e8bf247cc4740941ed973f367678110761be944eef39e69217fc78412cb vt=25 iq=9
00884a49002e25be473b8704fa9935f7cfcbb2d4bf75dc4fa054f16019eac82d vt=24 iq=9
00dd0eb0c5acbcc376a26eb4f974187be2bac8a4e9c00876faa23d656953fa53 vt=28 iq=9
014e0bfbd01c796a79ea0324177bf7bb89e6e1d7dccd58008d62024f1bbcfe5d vt=27 iq=9
01663b94d847370d937c017344092fb204b3fef3bca2c0d26c9f49ebac946525 vt=29 iq=9
0195eda6f0dbf03b6fa7c2689f538bb998ce4cc533fd7117c956c7c5c2f62437 vt=27 iq=9
xor201_macro.vba
' Our comments are prefixed with the string "[InQuest]". Other comments are preserved originals from the macro.
' The sample is available for download from InQuest Labs:
'
' https://labs.inquest.net/dfi/sha256/12d21da9bd0f7d877e04e59ad347b0e8787124c9f0ec170a913451acfb14a3b6
'
' Examining the OLE directory structure with oledump:
'
' $ oledump.py 12d21da9bd0f7d877e04e59ad347b0e8787124c9f0ec170a913451acfb14a3b6
'   1:       146 '\x01CompObj'
'   2:         6 '\x03ObjInfo'
xor201_extractor.py
import sys

if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <input path>\n" % sys.argv[0])
    sys.exit(1)

path = sys.argv.pop()

data1 = []
data2 = []
data3 = []
pedramamini / the_carver.py
Last active Mar 16, 2019
Carve files out of a blob.
#!/usr/bin/env python
# source: https://gist.github.com/pedramamini/54df2648a1b73adf9a0d6d0b1a75ca0a
import os
import re
import sys
import errno
import string
# debug output.
pedramamini / disable_ddeauto.reg
Created Oct 20, 2017 — forked from wdormann/disable_ddeauto.reg
Disable DDEAUTO for Outlook, Word, and Excel versions 2010, 2013, 2016
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001
pedramamini / XProtect.yara
Created Oct 19, 2017
Apple OSX's built-in file defense is powered by YARA: /System/Library/CoreServices/XProtect.bundle/Contents/Resources
import "hash"

private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
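The six constants in that condition are easier to read once you remember that YARA's uint32() is little-endian: each magic appears twice, once as a little-endian host writes it and once byte-swapped. The Python below is an added example, not Apple's code. It reimplements the rule's condition exactly, maps each constant back to the on-disk bytes it matches, and shows the one case the rule gets wrong: bytes CA FE BA BE are both the (always big-endian) fat header magic and the Java class-file magic, so the rule fires on every .class file. The nfat_arch heuristic used to tell the two apart, and the sample header fragments, are assumptions made for this example.

```python
import struct

# Added example (not Apple's code): XProtect's private "Macho" rule condition
# in Python, with each constant mapped to the byte sequence it actually matches.
MACHO_RULE_VALUES = {
    0xfeedface,  # bytes CE FA ED FE: MH_MAGIC    written by a little-endian host (i386)
    0xcefaedfe,  # bytes FE ED FA CE: MH_MAGIC    written by a big-endian host (ppc)
    0xfeedfacf,  # bytes CF FA ED FE: MH_MAGIC_64 written by a little-endian host (x86_64, arm64)
    0xcffaedfe,  # bytes FE ED FA CF: MH_MAGIC_64 written by a big-endian host (ppc64)
    0xbebafeca,  # bytes CA FE BA BE: FAT_MAGIC (fat headers are always stored big-endian)
    0xcafebabe,  # bytes BE BA FE CA: a byte-swapped fat header
}


def macho_rule_matches(data: bytes) -> bool:
    """Exact equivalent of: uint32(0) == 0xfeedface or ... or uint32(0) == 0xbebafeca."""
    if len(data) < 4:
        return False  # uint32(0) is undefined on a file this short; the rule cannot match
    return struct.unpack_from("<I", data, 0)[0] in MACHO_RULE_VALUES


def classify(data: bytes) -> str:
    """Name what the rule matched, flagging the Java class-file false positive."""
    if not macho_rule_matches(data):
        return "no match"
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xfeedface, 0xcefaedfe):
        return "Mach-O 32-bit"
    if magic in (0xfeedfacf, 0xcffaedfe):
        return "Mach-O 64-bit"
    if magic == 0xcafebabe:
        return "fat header (byte-swapped)"
    # Bytes CA FE BA BE: fat header or Java class file. Heuristic (an assumption for
    # this example, not XProtect's logic): a fat header's nfat_arch is tiny, while a
    # class file carries minor_version/major_version here and major_version is >= 45
    # for every JDK release, so the big-endian dword at offset 4 separates them.
    second_word = struct.unpack_from(">I", data, 4)[0] if len(data) >= 8 else 0
    if second_word >= 45:
        return "Java class file (false positive for the rule)"
    return "fat/universal Mach-O"


# Constructed 8-byte header fragments, not real files.
SAMPLES = {
    "x86_64 thin Mach-O": struct.pack("<I", 0xfeedfacf) + struct.pack("<I", 0x01000007),
    "ppc thin Mach-O":    struct.pack(">I", 0xfeedface) + struct.pack(">I", 0x00000012),
    "universal binary":   struct.pack(">I", 0xcafebabe) + struct.pack(">I", 2),
    "Java class file":    struct.pack(">I", 0xcafebabe) + struct.pack(">HH", 0, 52),
    "ELF":                b"\x7fELF\x02\x01\x01\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20s} rule={str(macho_rule_matches(blob)):5s} {classify(blob)}")
```

Because the rule is private, the false positive only matters where a public XProtect rule uses `Macho` as a gate and then relies on a weak second condition; checking the word at offset 4 is how a loader tells the two formats apart.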
pedramamini / yara_fn.py
Created Aug 19, 2016 — forked from williballenthin/yara_fn.py
generate a yara rule that matches the basic blocks of the current function in IDA Pro
'''
IDAPython script that generates a YARA rule to match against the
basic blocks of the current function. It masks out relocation bytes
and ignores jump instructions (given that we're already trying to
match compiler-specific bytes, this is of arguable benefit).
If python-yara is installed, the IDAPython script also validates that
the generated rule matches at least one segment in the current file.
author: Willi Ballenthin <william.ballenthin@fireeye.com>
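The IDA-independent half of what that script does is shown below as an added example (not yara_fn.py itself): given a function's bytes and the offsets of address-dependent operands, which the script takes from IDA's relocation information and which are supplied by hand here, it wildcards those bytes into a YARA hex string, wraps it in a rule, and validates the result against sample bytes with a regex in place of yara-python. Jump-instruction skipping is not reproduced. The sample function bytes, the function names and the rule name are constructed for this example.

```python
import re
from typing import Iterable, Sequence

# Added example, not the gist's script. Offsets to mask are given by hand instead
# of being read from IDA's relocation info.


def build_mask(length: int, masked_ranges: Iterable[tuple[int, int]]) -> list[bool]:
    """True at every byte position that must become a '??' wildcard."""
    mask = [False] * length
    for offset, size in masked_ranges:
        for i in range(offset, min(offset + size, length)):
            mask[i] = True
    return mask


def to_yara_hex(code: bytes, mask: Sequence[bool]) -> str:
    """Render code as a YARA hex string, e.g. '{ 55 8b ec a1 ?? ?? ?? ?? 5d c3 }'."""
    tokens = ["??" if masked else f"{byte:02x}" for byte, masked in zip(code, mask)]
    # Leading/trailing wildcards add nothing to the match; drop them so the
    # signature is anchored on real bytes at both ends.
    while tokens and tokens[0] == "??":
        tokens.pop(0)
    while tokens and tokens[-1] == "??":
        tokens.pop()
    return "{ " + " ".join(tokens) + " }"


def build_rule(name: str, code: bytes, mask: Sequence[bool]) -> str:
    """Wrap the hex string in a minimal rule that fires when the string is found."""
    return (
        f"rule {name}\n"
        "{\n"
        "    strings:\n"
        f"        $fn = {to_yara_hex(code, mask)}\n"
        "    condition:\n"
        "        $fn\n"
        "}\n"
    )


def hex_string_matches(yara_hex: str, data: bytes) -> bool:
    """Validate a generated hex string without yara-python: '??' -> '.', else a literal byte."""
    tokens = yara_hex.strip("{} ").split()
    pattern = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens)
    return re.search(pattern, data, re.DOTALL) is not None


# Constructed x86 function: push ebp; mov ebp,esp; mov eax,[0x00403000]; pop ebp; ret.
# The dword at offset 4 is an absolute address, i.e. a relocation target.
FUNC_A = bytes.fromhex("55 8b ec a1 00 30 40 00 5d c3")
FUNC_B = bytes.fromhex("55 8b ec a1 00 30 50 00 5d c3")  # same code after rebasing
OTHER = bytes.fromhex("55 8b ec 33 c0 5d c3")            # a different function
MASK = build_mask(len(FUNC_A), [(4, 4)])

if __name__ == "__main__":
    print(build_rule("fn_example", FUNC_A, MASK))
    sig = to_yara_hex(FUNC_A, MASK)
    for label, blob in (("FUNC_A", FUNC_A), ("FUNC_B", FUNC_B), ("OTHER", OTHER)):
        print(label, hex_string_matches(sig, blob))
```

The masked rule matches both the original and the rebased copy of the function while rejecting unrelated code, which is the property the script checks when yara-python is available.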
pedramamini / 00_close_to_low.py
Last active Apr 22, 2016
Stock Market Games... these are from 2008.
import sys
import thax
import datetime
y = thax.misc.finance.yahoo()
my_adds = ["ALU", "AMZN", "CMG", "COMS", "DCA", "PLA", "PZZA", "RICK", "UA", "VMW"]
sp_500 = ["BBT", "BDX", "BBBY", "BMS", "BBY", "BIG", "BIIB", "BJS", "BDK", "HRB", "BMC", "BA", "BXP", "BSX", "BMY", "BRCM", "BF.B", "BNI", "CHRW", "CA", "COG", "CAM", "CPB", "COF", "CAH", "CCL", "CAT", "CBG", "CBS", "CELG", "CNP", "CTX", "CTL", "CF", "SCHW", "CHK", "CVX", "CB", "CIEN", "CI", "CINF", "CTAS", "CSCO", "CIT", "C", "CTXS", "CLX", "CME", "CMS", "COH", "KO", "CCE", "CTSH", "CL", "CMCSA", "CMA", "CSC", "CPWR", "CAG", "COP", "CNX", "ED", "STZ", "CEG", "CVG", "CBE", "GLW", "COST", "CVH", "COV", "CSX", "CMI", "CVS", "DHI", "DHR", "DRI", "DVA", "DF", "DE", "DELL", "DDR", "DVN", "DTV", "DFS", "D", "RRD", "DOV", "DOW", "DPS", "DTE", "DD", "DUK", "DYN", "ETFC", "EMN", "EK", "ETN", "EBAY", "ECL", "EIX", "EP", "ERTS", "EQ", "EMC", "EMR", "ESV", "ETR", "EOG", "EFX", "EQR", "EL", "EXC", "EXPE", "EXPD", "ESRX", "XOM", "FDO", "FAST", "FII", "FDX", "FIS", "FITB
pedramamini / osx_messages_peek.py
Created May 20, 2015
Extract URLs and related contact information from your OSX Messages.app database.
#!/usr/bin/env python
# Extract URLs and related contact information from your OSX Messages.app database.
#
# TODO
# - automatically resolve username and discover contacts database (by largest item count if there is more than one).
# - make a machine parseable format.
# - keep track of last found URL (by hash?), allow for periodic run of script and addition to output.
# - update to latest gruber regex.
pedramamini / blaze.py
Last active Aug 29, 2015
Blaze your way through Tinder (the dating app).
#!/usr/bin/env python
"""
blaze through tinder
Setup:
- proxy / sniff out your auth token and edit constant under imports.
- API may have changed.
- it's hard coded to search for girls looking for guys.
- this was a quick hack, i'm not maintaining it or answering questions about it.